Ethical hackers expose FIA driver portal flaw that left Verstappen’s ID at risk — patched within a day
A trio of security researchers says they found a way into an FIA-run driver portal that exposed sensitive documents — including Max Verstappen’s passport and licence — in a matter of minutes, prompting world motorsport’s governing body to rush out a fix inside 24 hours.
The breach, discovered in June and revealed this week, wasn’t a smash-and-grab. The researchers — Gal Nagli, Sam Curry and Ian Carroll — describe it as a controlled test designed to prove a weakness rather than plunder data. They say they stopped short of downloading anything and immediately flagged the issue to the FIA, which then secured the system and notified the relevant authorities.
“We found a severe vulnerability in a critical FIA portal,” Nagli explained, adding it took about 10 minutes to reach highly sensitive records tied to Verstappen and, by extension, other F1 drivers. The researchers say they validated access with screenshots, halted testing, deleted what they’d captured for proof, and did not save or exfiltrate any personal information.
The FIA, for its part, says it moved quickly to lock things down. “The FIA became aware of a cyber incident involving the FIA Driver Categorisation website over the summer,” a spokesperson said. “Immediate steps were taken to secure drivers’ data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA’s obligations. It has also notified the small number of drivers impacted by this issue. No other FIA digital platforms were impacted.”
The governing body added that it has “invested extensively in cyber security and resilience measures” and follows a “security-by-design” policy for new digital projects.
Behind the tech jargon is something very real: travel IDs, licence documentation and private correspondence that follow drivers everywhere, from immigration desks to medical clearances. In the wrong hands, that’s a nightmare. In the right hands — in this case, researchers treating it as a red-team exercise — it’s a stress test that got fixed before it became a headline for the wrong reasons.
It’s also not the first scare. Last year the FIA disclosed that phishing attacks had led to unauthorised access to two email accounts. The body said it swiftly cut off the intrusions and notified French and Swiss data regulators. Different entry point, same lesson: in a sport built on secrecy and speed, the digital perimeter is only as strong as its quietest corner.
There’s a broader tension here, too. Formula 1 is more online than ever — accreditation portals, remote briefings, logistics, medical records, the lot — and the ecosystem around it is sprawling. Teams and drivers may lock down their own systems, but a single vulnerable third-party portal can still open the door. That’s what makes this episode noteworthy: the alleged access path wasn’t to a team’s vault, but to an FIA-managed platform drivers are required to use.
The good news is that this was a cooperative catch. The researchers reported the flaw; the FIA patched it quickly; and, according to all involved, no driver data was taken. But anyone in the paddock will read this and wonder how many other legacy logins and niche portals are one simple flaw away from trouble.
Expect some quiet housekeeping in the weeks ahead: password resets, multi-factor logins, stricter access controls and a fresh round of internal phishing drills. None of that will make the highlight reels, but it’s the kind of diligence that keeps passports off the internet and drivers focused on lap times, not login screens.
Off-track, security is now a performance metric. On this occasion, the FIA reacted fast and the white hats did the sport a favour. Next time, they’ll hope the only thing going through the checks that quickly is a Red Bull on a qualifying lap.
